CVE-2026-11301: Chrome LiveCaption Out-of-Bounds Memory Access (CVSS 8.8)
A vulnerability in Google Chrome's LiveCaption feature allows attackers to access memory outside safe boundaries by sending specially crafted network traffic. While Chrome assigned this a low severity rating internally, the vulnerability can lead to information disclosure, data corruption, or system crashes depending on what memory region is accessed. The attack requires user interaction—the user must be running a vulnerable Chrome version and receive the malicious traffic—but no special privileges are needed from the attacker's perspective.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in LiveCaption in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via malicious network traffic. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11301 is an out-of-bounds (OOB) read/write vulnerability (CWE-125) in the LiveCaption component of Google Chrome versions prior to 149.0.7827.53. The flaw stems from improper bounds checking when processing network input, enabling an unauthenticated remote attacker to read or modify memory outside the intended buffer. The vulnerability manifests through malicious network traffic and can result in arbitrary information exposure or potential code execution in certain scenarios, though the latter would depend on additional factors such as heap layout and memory protections in place.
Business impact
Organizations and users relying on Chrome for daily work face potential data exfiltration risks if attackers send crafted network packets to users' machines. For enterprises, this could expose sensitive information visible in memory at the time of exploitation, particularly if users have cached credentials, session tokens, or sensitive documents in memory. The requirement for user interaction lowers the immediate enterprise blast radius, but the high CVSS score reflects the severity of potential outcomes if exploitation occurs. Reputational and compliance implications depend on whether sensitive personal or regulated data is compromised.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability impacts Chrome running on Windows, macOS, and Linux systems. While the CVE references these operating systems in the vendor-products list, the vulnerability itself is in Chrome's code; the OS serves as the platform. Users on any of these operating systems with unpatched Chrome installations are at risk.
Exploitability
The attack requires network proximity in the sense that the attacker must be able to send malicious network traffic to the target. This could occur through various vectors: a compromised network infrastructure, a malicious website, DNS hijacking, or any mechanism allowing the attacker to inject crafted packets toward the victim. User interaction is required—the user must be actively using Chrome at the time the malicious traffic is received. The absence of privilege requirements and the straightforward attack surface (network input) means that once delivery is achieved, exploitation is likely to succeed against vulnerable versions.
Remediation
Update Chrome to version 149.0.7827.53 or later immediately. Administrators managing Chrome across an organization should use Group Policy (Windows) or Mobile Device Management (macOS/Linux) to enforce automatic updates or block older versions. For individual users, enable automatic Chrome updates in Settings > About Google Chrome. As an interim measure until patching is complete, restrict network access from untrusted sources if possible, though this is not a substitute for patching.
Patch guidance
Verify that Chrome has been updated to version 149.0.7827.53 or later by navigating to Chrome menu > Help > About Google Chrome, which will display the current version and auto-update if necessary. For enterprise deployments, consult Google's Chrome Enterprise release notes to confirm the patch version rollout timeline. Test updates in a non-production environment first if your organization manages custom Chrome configurations. Note that this CVE was published June 5, 2026, so patch availability should be confirmed against current vendor advisories.
Detection guidance
Monitor for Chrome version compliance across your infrastructure using Mobile Device Management (MDM) or endpoint detection and response (EDR) tools. Network-based detection is difficult because the malicious input is protocol-agnostic; focus instead on identifying systems still running Chrome versions prior to 149.0.7827.53. If available, enable Chrome crash reporting and monitor for unexpected crashes or memory protection violations in LiveCaption processes. Behavioral detection could flag unusual memory access patterns, though this requires deep packet inspection and may produce false positives.
Why prioritize this
Although Chromium's internal severity assessment was 'Low,' the CVSS 3.1 score of 8.8 reflects a HIGH severity vulnerability due to the combination of remote exploitability without authentication, relatively low attack complexity, and severe impact (confidentiality, integrity, and availability all achievable). Out-of-bounds memory access in a widely used browser component warrants swift patching. Prioritize patching for endpoints handling sensitive data or high-risk users (executives, finance, legal). The lack of active exploitation (KEV not marked) provides a brief window before adversaries likely develop reliable exploits.
Risk score, explained
The CVSS 3.1 vector (8.8 HIGH) reflects: AV:N (network-accessible attack surface), AC:L (low attack complexity—no special conditions needed), PR:N (no prior privileges required), UI:R (user interaction required—user must be using Chrome), S:U (scope unchanged), C:H/I:H/A:H (all three impact categories at maximum). The high score appropriately captures the severity of unrestricted memory access despite the 'Low' Chromium rating, likely because the Chromium rating considered mitigating factors (like Chrome's sandbox) that CVSS does not fully account for in isolation. The UI:R factor prevents this from being a 9.0+, as user presence is necessary.
Frequently asked questions
Does this affect Chrome on mobile devices?
Chrome on Android and iOS would be affected by the same LiveCaption vulnerability if those platforms include the feature. Verify the current version installed and update through the Google Play Store or Apple App Store respectively. Enterprise management tools may be needed to enforce updates on corporate devices.
What is LiveCaption and who uses it?
LiveCaption is Chrome's automated captioning feature for audio and video content, primarily designed for accessibility. Any user with Chrome running and consuming audio/video is potentially exposed if they receive malicious network traffic, regardless of whether they actively use captions.
Can I disable LiveCaption to reduce risk until patching?
Disabling LiveCaption would reduce the attack surface, but patching is the proper remediation. The vulnerability exists in the component code regardless of user-facing settings; full removal or version update is the reliable mitigation.
Is this vulnerability currently being exploited in the wild?
The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no confirmed active exploitation at the time of disclosure. However, that status can change; monitor security advisories for updates and prioritize patching accordingly.
This analysis is based on vulnerability disclosure data as of June 2026. Patch availability, exploitation status, and vendor advisories may change; verify current information with Google Chrome security advisories and your organization's vulnerability management systems. CVSS scores represent a point-in-time assessment and should not be the sole basis for prioritization decisions. This explainer is for educational and threat intelligence purposes; it does not constitute legal or compliance advice. Always follow your organization's patch management and security policies. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library